Site Hacked – 301 Redirects – Looking for Help

My site has been hacked. (Yes, I was using an old version of WordPress.)

One of the many problems I had was the same problem as discussed in this thread about the URLs being messed up.

I have found a number of files that were obviously a part of the hack, and I have deleted them, but my site still seems to be hacked. Google is showing my site description to be about buying viagra and cialis. My site title was showing before as being “Cialis,” but I was able to recover that. Still, my site description is messed up.

What is worse, however, is when I go to Google’s webmaster tools and use the “Fetch as Googlebot” tool to see what Googlebot sees, a lot of my pages are coming up as being 301 permanently redirected.

Does anyone have suggestions for where I can look to try to find the malicious code?

One of the files I deleted had the following in it. I’ll include it here to see if it provides any clues.

Delete your wp-admin and wp-includes folders. Download a fresh copy of WordPress and re-upload them with FTP. Do the same with the files in the root directory, except the .htaccess and wp-config.php file – check those manually for alterations.

Delete all your plugins and re-install them from fresh, newly downloaded good copies.

Check your theme. Ideally, delete it entirely and restore from a known good backup. If you’ve not got a backup and have made customisations, check it manually for suspicious additions.

I started noticing a few sites I visit had these issues – and I could see them in Firefox if I had Firebug AND FirePHP (FirePHP being on is crucial). Seems that whatever this is looks at the User Agent to hide it from the casual viewer, but allow Google to pick it up to increase search engine rankings.

I found this on a blog I’m responsible for — requests to the web site made from the Google user agent returned pages with title tags, titles and body text laden with Viagra and other sex-drug references.

More than 100 hidden files had been uploaded to wp-content/uploads/js_cache/ — these files had names that looked like .%D1BB%C5BD%10E2%888E%C77C%B96F

Removing those files (from the shell I used rm -fr .%*) fixed the problem.
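
As an added example (not code from any poster in this thread), the following shell functions count hidden files whose names start with `.%`, the pattern described in the last post, anywhere under an uploads tree, and move them to a quarantine directory instead of deleting them so they can still be inspected. The function names, the quarantine location and the sample file names in `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find hidden files named like the ones reported above
# (.%D1BB%C5BD...) under an uploads tree and quarantine them for review.

# Count matches without parsing file names, so spaces or newlines in a
# name cannot skew the result.
count_suspect_uploads() {
    find "$1" -type f -name '.%*' \
        -exec sh -c 'for f in "$@"; do echo x; done' sh {} + | wc -l | tr -d ' '
}

# Move matches into QDIR, keeping each file's path relative to the uploads
# directory. QDIR must be outside the web root and outside the scanned tree.
quarantine_suspect_uploads() {
    src=${1%/} qdir=$2
    mkdir -p "$qdir" || return 1
    find "$src" -type f -name '.%*' -exec sh -c '
        src=$1; qdir=$2; shift 2
        for f in "$@"; do
            rel=${f#"$src"/}
            mkdir -p "$qdir/$(dirname "$rel")" && mv -- "$f" "$qdir/$rel"
        done' sh "$src" "$qdir" {} +
}

# Demo on a constructed tree (all file names here are made up).
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/uploads/js_cache" "$t/uploads/2012/05"
    : > "$t/uploads/js_cache/.%D1BB%C5BD"
    : > "$t/uploads/js_cache/.%AA11 %BB22"
    : > "$t/uploads/2012/05/photo.jpg"
    echo "suspect files before: $(count_suspect_uploads "$t/uploads")"
    quarantine_suspect_uploads "$t/uploads" "$t/quarantine"
    echo "suspect files after:  $(count_suspect_uploads "$t/uploads")"
    echo "quarantined:          $(count_suspect_uploads "$t/quarantine")"
    rm -rf "$t"
}
demo
```

On a real site, pass the path to `wp-content/uploads` as the first argument and review the quarantined files before removing them.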